tomcat-users mailing list archives

From "Sumit Ranjan" <>
Subject Re: The relationship between Tomcat security mechanism and JAAS?
Date Tue, 31 Jul 2001 10:29:09 GMT
Hi Francis!
   I too have a query regarding particular authentication.
   My intranet has LDAP, whereas one of my applications, i.e. "jetspeed",
maintains a database for user authentication...
  So a user has to authenticate himself again if he comes to jetspeed from
his INTRANET page...
  Is there a way we can have a common authentication?... More, can I enable my LDAP to talk to my jetspeed or vice
versa? How can JAAS help me in this regard?

Please help.


sumit ranjan

----- Original Message -----
From: "Francis Pallini" <>
To: <>
Sent: Friday, July 27, 2001 3:11 PM
Subject: Re: The relationship between Tomcat security mechanism and JAAS?

> Hello,
> As far as I know (and I am not a specialist) :
> Tomcat, Resin and iPlanet do not support JAAS natively. But, at least with
> Tomcat and Resin, it is possible to implement easily an authentication
> scheme (a "Realm") that will be used by the container thanks to a simple
> xml configuration file. On the contrary, jBoss offers built-in JAAS
> and provides the ability to use other vendor-dependent implementations (a
> stub to NTLM for example).
> But what is exactly JAAS ? Java Authentication and Authorization Service
> an optional package for JDK 1.3.x and is incorporated in standard in JDK
> 1.4. It simply provides an architecture for building an A&A service plus
> ready-to-use services like Kerberos, JNDI (LDAP), NT and Solaris login
> modules (I never managed to use the LDAP module) and extends Java security
> mechanisms (that were exclusively code-centric). Thanks to JAAS, you can
> check a user login, and once the user is authenticated, check his
> permissions on the code being executed. Permissions are defined in a
> file.
> How can we take advantage of JAAS in a servlet container ? You can write
> adapter between the container realm and JAAS login modules. Then, you will
> be able to reuse the same code for login modules whatever application is
> using them (web-based or classical application) and provide a uniform
> authentication service. Roles can also be implemented in a more flexible
> and powerful way.
> What about authorization service ? Within an EJB container, code can be
> called by an unauthorized code and JAAS can check that the caller (which
> can be a Java or anything else code) owns sufficient credentials. By the
> way, it doesn't seem to be the jBoss implementation. And that case rarely
> happens in a servlet container (a servlet acting as an entry point for a
> kind of http-based RPC ?).
> I hope I was clear enough and I didn't make too many mistakes ;=)
> Regards,
> Francis Pallini
> At 11:43 PM 7/26/01 -0700, you wrote:
> >Hi
> >Having heard of "JDBCRealm" and "JAAS" for months, I still
> >don't catch the meaning.
> >I've noticed that the JSP/Servlet spec doesn't mention
> >JAAS, and most containers (such as Tomcat) don't support (or
> >implement) it.
> >So
> >What is the benefit of JAAS? Isn't Tomcat's security
> >mechanism already powerful enough?
> >If someone would like to "implement" JAAS in his
> >application, what to do?
> >
> >Thanks.
> >
> >Pan.
> >
